Installing and configuring StrongSwan VPN on Ubuntu 20.04

VPN is used to create a private network from a public internet connection to protect your data.

VPN uses an encrypted tunnel to send and receive data securely.

strongSwan is one of the best-known VPN packages and supports a wide range of operating systems, including Linux, OS X, FreeBSD, Windows, Android and iOS.

It uses the IKEv1 and IKEv2 protocols to securely establish a connection.

You can extend its functionality with built-in plugins.

In this guide, we will walk step by step through setting up an IKEv2 VPN server with StrongSwan on Ubuntu 20.04.

Prerequisites

  • Two systems running an Ubuntu 20.04 server
  • Root password configured on both servers

StrongSwan installation

StrongSwan is available in the default Ubuntu 20.04 repository.

You can install it with other required components using the following command:

apt-get install strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins -y

Once all packages have been installed, you can proceed to create a CA certificate.

How to create a certificate for a VPN server

You will need to generate a certificate and key for the VPN server so that clients can authenticate the server.

First, create a private key for the root CA with the following command:

ipsec pki --gen --size 4096 --type rsa --outform pem > /etc/ipsec.d/private/ca.key.pem

Then create a self-signed root CA certificate using that key:

ipsec pki --self --in /etc/ipsec.d/private/ca.key.pem --type rsa --dn "CN=My VPN Server CA" --ca --lifetime 3650 --outform pem > /etc/ipsec.d/cacerts/ca.cert.pem

Then create a private key for the VPN server using the following command:

ipsec pki --gen --size 4096 --type rsa --outform pem > /etc/ipsec.d/private/server.key.pem

Finally, generate a server certificate using the following command:

ipsec pki --pub --in /etc/ipsec.d/private/server.key.pem --type rsa | ipsec pki --issue --lifetime 2750 --cacert /etc/ipsec.d/cacerts/ca.cert.pem --cakey /etc/ipsec.d/private/ca.key.pem --dn "CN=vpn.domain.com" --san="vpn.domain.com" --flag serverAuth --flag ikeIntermediate --outform pem > /etc/ipsec.d/certs/server.cert.pem

At this point, all certificates are ready for your VPN server.

StrongSwan VPN setup

The default strongswan configuration file is /etc/ipsec.conf.

First, back up the default config file:

mv /etc/ipsec.conf /etc/ipsec.conf-bak

Then create a new config file:

nano /etc/ipsec.conf

Add the following config and conn settings:

config setup
        charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
        strictcrlpolicy=no
        uniqueids=yes
        cachecrls=no

conn ipsec-ikev2-vpn
      auto=add
      compress=no
      type=tunnel
      keyexchange=ikev2
      fragmentation=yes
      forceencaps=yes
      dpdaction=clear
      dpddelay=300s
      rekey=no
      left=%any
      leftid=@vpn.domain.com
      leftcert=server.cert.pem
      leftsendcert=always
      leftsubnet=0.0.0.0/0
      right=%any
      rightid=%any
      rightauth=eap-mschapv2
      rightsourceip=10.10.10.0/24
      rightdns=8.8.8.8
      rightsendcert=never
      eap_identity=%identity

Save and close the /etc/ipsec.conf file.

Next, define the EAP user credentials and the server's RSA private key for authentication in the /etc/ipsec.secrets file:

nano /etc/ipsec.secrets

Add the following line:

: RSA "server.key.pem"
vpnsecure : EAP "password"

Then restart the StrongSwan service as follows:

systemctl restart strongswan-starter

To enable StrongSwan to start at system boot, enter:

systemctl enable strongswan-starter

To check the status of the VPN server, enter:

systemctl status strongswan-starter

How to enable packet forwarding

Next, enable packet forwarding in the kernel by editing the /etc/sysctl.conf file:

nano /etc/sysctl.conf

Uncomment the following lines:

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Save and close the file, then reload the new settings using the following command:

sysctl -p

StrongSwan client installation and configuration

In this section, we will install the StrongSwan client on a remote computer and connect to the VPN server.

First, install the required packages using the following command:

apt-get install strongswan libcharon-extra-plugins -y

After installing all the packages, stop the StrongSwan service with the following command:

systemctl stop strongswan-starter

Next, copy the ca.cert.pem file from the VPN server into the /etc/ipsec.d/cacerts/ directory on the client.

You can copy it using the SCP command as shown below:

scp root@vpn.domain.com:/etc/ipsec.d/cacerts/ca.cert.pem /etc/ipsec.d/cacerts/

Use the /etc/ipsec.secrets file to configure VPN client authentication:

nano /etc/ipsec.secrets

Add the following line:

vpnsecure : EAP "password"

Then edit the main strongSwan config file:

nano /etc/ipsec.conf

Add the following lines, using your server's domain and the EAP identity you specified in /etc/ipsec.secrets:

conn ipsec-ikev2-vpn-client
    auto=start
    right=vpn.domain.com
    rightid=vpn.domain.com
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftid=vpnsecure
    leftauth=eap-mschapv2
    eap_identity=%identity
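
As an added check that is not part of the tutorial, the following Python snippet parses the server conn, the client conn and the server's ipsec.secrets and reports the identity and authentication mismatches that most often make this setup fail to authenticate; the sample text is constructed from the fragments above.

```python
# Added example (not from the tutorial): cross-check the server conn, the
# client conn and ipsec.secrets for the mismatches that make the EAP login
# fail. The three samples are constructed from the tutorial's fragments.
import re

SERVER_CONF = """\
conn ipsec-ikev2-vpn
      leftid=@vpn.domain.com
      rightauth=eap-mschapv2
"""
CLIENT_CONF = """\
conn ipsec-ikev2-vpn-client
    rightid=vpn.domain.com
    leftid=vpnsecure
    leftauth=eap-mschapv2
"""
SERVER_SECRETS = ': RSA "server.key.pem"\nvpnsecure : EAP "password"\n'

def parse_ipsec_conf(text):
    """Return {"conn <name>": {key: value}}; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():              # unindented: section header
            kind, _, name = line.partition(" ")
            current = sections.setdefault(f"{kind} {name.strip()}", {})
        elif current is not None and "=" in line:
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip()
    return sections

def eap_users(secrets):
    """Usernames that own an EAP entry in an ipsec.secrets file."""
    return {m.group(1) for m in re.finditer(r"^(\S+)\s*:\s*EAP\s", secrets, re.M)}

def check_pair(server_conf, client_conf, secrets):
    """List the mismatches between the server conn and the client conn."""
    s = parse_ipsec_conf(server_conf)["conn ipsec-ikev2-vpn"]
    c = parse_ipsec_conf(client_conf)["conn ipsec-ikev2-vpn-client"]
    problems = []
    # The client checks the server's IKE identity against its rightid; the
    # server announces leftid (the '@' prefix only disables DNS resolution).
    if s["leftid"].lstrip("@") != c["rightid"]:
        problems.append("server leftid != client rightid")
    if s["rightauth"] != c["leftauth"]:
        problems.append("server rightauth != client leftauth")
    if c["leftid"] not in eap_users(secrets):
        problems.append("client leftid has no EAP secret on the server")
    return problems
```

An empty list from check_pair means the two sides agree on the server identity, the EAP method and the user; run it against the real files before debugging charon logs.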

Now start the StrongSwan VPN service using the following command:

systemctl start strongswan-starter

Then check the status of the VPN connection with the following command:

ipsec status

You should get the following output:

Security Associations (1 up, 0 connecting):
ipsec-ikev2-vpn-client[1]: ESTABLISHED 28 seconds ago, 104.245.32.158[vpnsecure]...104.245.33.84[vpn.domain.com]
ipsec-ikev2-vpn-client{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ca6f451c_i ca9f9ff7_o
ipsec-ikev2-vpn-client{1}: 10.10.10.1/32 === 0.0.0.0/0

The above output shows that a VPN connection is established between the client and the server, and the client computer is assigned an IP address of 10.10.10.1.
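
An added example, not from the tutorial: a parser for the ipsec status output shown above that a monitoring script can use to confirm the tunnel is really up with UDP-encapsulated ESP and a virtual IP from the server's 10.10.10.0/24 pool. The sample output is the tutorial's, embedded as a constructed string.

```python
# Added example (not from the tutorial): turn `ipsec status` output into a
# health check. SAMPLE is the output shown above, embedded as a constructed
# string; the pool argument is the server's rightsourceip.
import ipaddress
import re

SAMPLE = """\
Security Associations (1 up, 0 connecting):
ipsec-ikev2-vpn-client[1]: ESTABLISHED 28 seconds ago, 104.245.32.158[vpnsecure]...104.245.33.84[vpn.domain.com]
ipsec-ikev2-vpn-client{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ca6f451c_i ca9f9ff7_o
ipsec-ikev2-vpn-client{1}: 10.10.10.1/32 === 0.0.0.0/0
"""

# IKE SA line: name[id]: STATE ..., local[local_id]...remote[remote_id]
IKE_RE = re.compile(r"^(?P<conn>\S+)\[\d+\]: (?P<ike_state>\w+) .*?, "
                    r"(?P<local>\S+)\[(?P<local_id>[^\]]+)\]\.\.\."
                    r"(?P<remote>\S+)\[(?P<remote_id>[^\]]+)\]")
# CHILD SA line: name{id}: STATE, MODE, reqid N, ESP [in UDP] SPIs: ...
CHILD_RE = re.compile(r"^(?P<conn>\S+)\{\d+\}: (?P<child_state>\w+), (?P<mode>\w+), "
                      r".*?(?P<esp>ESP(?: in UDP)?) SPIs")
# Traffic selector line: name{id}: local_ts === remote_ts
TS_RE = re.compile(r"^(?P<conn>\S+)\{\d+\}: (?P<local_ts>\S+) === (?P<remote_ts>\S+)$")

def parse_status(text):
    """Return {conn_name: fields} merging the IKE, CHILD and selector lines."""
    conns = {}
    for line in text.splitlines():
        for rx in (IKE_RE, CHILD_RE, TS_RE):
            m = rx.match(line)
            if m:
                fields = m.groupdict()
                conns.setdefault(fields.pop("conn"), {}).update(fields)
    return conns

def tunnel_healthy(conn, expected_peer_id, pool):
    """True when the IKE SA is ESTABLISHED with the expected server identity,
    the CHILD SA is INSTALLED in tunnel mode over UDP encapsulation (the
    server sets forceencaps=yes) and the virtual IP lies inside the pool."""
    try:
        vip = ipaddress.ip_interface(conn["local_ts"]).ip
    except (KeyError, ValueError):
        return False
    return (conn.get("ike_state") == "ESTABLISHED"
            and conn.get("remote_id") == expected_peer_id
            and conn.get("child_state") == "INSTALLED"
            and conn.get("mode") == "TUNNEL"
            and conn.get("esp") == "ESP in UDP"
            and vip in ipaddress.ip_network(pool))
```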

You can also confirm your new IP address with the following command:

ip a

You should get the following output:

eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:00:68:f5:20:9e brd ff:ff:ff:ff:ff:ff
inet 104.245.32.158/25 brd 104.245.32.255 scope global eth0
valid_lft forever preferred_lft forever
inet 10.10.10.1/32 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::200:68ff:fef5:209e/64 scope link
valid_lft forever preferred_lft forever

Conclusion

In the tutorial above, we learned how to set up a StrongSwan VPN server and client on Ubuntu 20.04.

Now you can protect your online activities.
